A couple of weeks ago I had the chance to provision the new Web Application Proxy (WAP) role and AD FS v3 on Windows Server 2012 R2. One of my clients wanted to expose their intranet for external access. Initially I thought about exposing it using SAML, but because they have lots of BI reports that use Excel Services and Reporting Services, migrating to SAML would break those solutions: the claims identity would have to be converted back to Windows authentication for the BI services to reach their data sources. This article explains the BI caveats really well.

To get this working seamlessly, Kerberos comes up. WAP pre-authenticates the user with AD FS and then uses Kerberos constrained delegation (KCD) to obtain a Kerberos ticket on the user's behalf for the backend, so the SharePoint web applications stay on Windows (Kerberos) authentication and nothing in the backend needs to change. This is what I wanted.

I searched the web for resources about implementing WAP, AD FS and SharePoint 2013 with Kerberos and found nothing; if you want to implement SAML, on the other hand, you will find lots of material. Share-n-dipity is your blog for that.

My scenario comprises two web sites: Portal, which is a publishing site, and MySite, which, as the name suggests, is the My Site host.

Because users will connect both from the internal network and from the internet, I decided to use only the Default zone, running on a single HTTPS URL that resolves to WAP externally and to SharePoint internally. The diagram below shows how users connect to the sites:

Figure 1 – Site Configuration

In my lab I provisioned several servers with specific roles, all on Windows Server 2012 R2, except SharePoint 2013, which is on Windows Server 2012 (it could be Windows Server 2012 R2 if you run SharePoint 2013 SP1). Anyway, below is my server/network diagram:

3) Double-click the WAP server's computer object, then on the Delegation tab tick "Trust this computer for delegation to specified services only" and "Use any authentication protocol". The first option restricts the WAP host to the SPNs you list (constrained delegation rather than unconstrained); the second enables protocol transition, which is required because WAP never sees the user's own Kerberos ticket (the user authenticated with AD FS) and must ask the KDC for a service ticket on the user's behalf. Then add the service account by clicking the Add button.

Figure 8 – Add Delegation

4) Make sure you reference the account contoso\spapppool, which holds the HTTP SPNs for the SharePoint web applications. Select "All services returned" so every SPN registered on that account is added to the list. Only the services in this list can be reached through the delegated identity, so keep it to the SharePoint SPNs and nothing else.
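The same delegation settings as steps 3 and 4, done from PowerShell so they can be scripted and verified. This is an added example and not from the original post: it assumes the WAP server's computer account is named WAP01 and that the SharePoint app-pool account is contoso\spapppool (the account named above); adjust both names for your environment.

```powershell
# Added example (not from the original post). Assumptions: the WAP computer
# account is WAP01 and the app-pool account holding the HTTP SPNs is spapppool.
# Run as a domain admin on a machine with the ActiveDirectory module.
Import-Module ActiveDirectory

$WapComputer    = 'WAP01'       # assumed name of the Web Application Proxy server
$AppPoolAccount = 'spapppool'   # the account that holds the SPNs (step 4)

# 1. Confirm the HTTP SPNs really live on the app-pool account. This is the same
#    list the GUI shows under "All services returned".
$svc  = Get-ADUser -Identity $AppPoolAccount -Properties ServicePrincipalNames
$spns = @($svc.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' })
if ($spns.Count -eq 0) {
    throw "No HTTP/ SPNs found on $AppPoolAccount; register them with setspn first."
}
$spns | ForEach-Object { Write-Host "Will allow delegation to $_" }

# 2. "Trust this computer for delegation to specified services only":
#    msDS-AllowedToDelegateTo holds exactly the SPNs WAP may obtain tickets for.
#    -Replace overwrites any existing list; use -Add to append instead.
Set-ADComputer -Identity $WapComputer -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }

# 3. "Use any authentication protocol" = TRUSTED_TO_AUTH_FOR_DELEGATION
#    (protocol transition). Unconstrained delegation stays off.
Set-ADAccountControl -Identity "${WapComputer}$" `
    -TrustedToAuthForDelegation $true `
    -TrustedForDelegation $false

# 4. Read the result back so the change can be checked before publishing the app.
Get-ADComputer -Identity $WapComputer `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Expect TrustedForDelegation to be False, TrustedToAuthForDelegation to be True and AllowedToDelegateTo to list only the SharePoint HTTP SPNs. Because protocol transition lets the WAP host impersonate any domain user towards those SPNs, treat the WAP server as a tier-0-adjacent asset: keep the SPN list minimal and do not reuse the computer account for anything else.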